- by cnn
- 05 Dec 2023
When personal data is stolen in a breach, such as the recent high-profile attacks on Optus and Medibank, it often begins a journey through a shadowy criminal marketplace which follows surprisingly traditional models of supply and demand.
Passwords, personal information, copies of identity documents and contact details of victims may pass through a web of transactions, mediated in online forums or hidden on the dark web, and denominated in cryptocurrency, before ending up in the hands of those who plan to exploit them.
"There are several different markets out there - or forums," Dean Williams, systems engineer at NortonLifeLock, explains.
"You can often find verified data breach stores where you can search by the organisation name and have access to the entire list right down to buyer-seller platforms where you can buy different levels of [personal information] at different quantities."
The largest ones offer cybercrime products as a service, where you can order a distributed-denial-of-service attack to bring down a site, order ransomware tools or services and malware that people can then use on their proposed targets.
"It means that people can enter into the world of cybercrime without having traditional cyber skills because you are just 'buying bad', or renting," Katherine Mansted, director of cyber intelligence at CyberCX, said.
Transactions are in cryptocurrency - often bitcoin. Initial access to an organisation in Australia can cost around US$500, but Mansted said there was no standard price because it depends on the size of the organisation, the quality of access, and the sector that organisation is in. The price is usually higher for companies in larger countries like the US.